Your message dated Wed, 11 Mar 2015 05:08:21 +0000
with message-id <e1yvysx-0007fl...@franck.debian.org>
and subject line Bug#780059: fixed in youtube-dl 2014.08.05-1+deb8u1
has caused the Debian Bug report #780059,
regarding youtube-dl: Forces SSLv3, incompatible with Python 2.7.9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780059: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: youtube-dl
Version: 2014.08.05-1
Severity: grave
Tags: patch
Justification: renders package unusable
Control: fixed -1 2015-01-16-1

Upstream is doing some crazy stuff with SSL. Fortunately, they admit this in
their git history, and have improved things since the 2014.08.05 release.

The protocol is forced to SSLv3, rather than negotiating the latest protocol
supported by both sides. There is a fallback path to negotiation, but it
doesn't work when PROTOCOL_SSLv3 isn't available in the Python ssl module (as
is the case, since 2.7.8-12).

The attached patch should fix the issue.

SR
Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
 In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
 support insecure versions.
 Upstream use Python's default SSL handshake since
 https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
 And switches to TLSv1 in legacy paths in
 https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
Author: Stefano Rivera <stefa...@debian.org>
Forwarded: not-needed
Last-Update: 2015-03-08

--- a/youtube_dl/utils.py
+++ b/youtube_dl/utils.py
@@ -588,17 +588,14 @@
                 if getattr(self, '_tunnel_host', False):
                     self.sock = sock
                     self._tunnel()
-                try:
-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
-                except ssl.SSLError:
-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+                self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
 
         class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
             def https_open(self, req):
                 return self.do_open(HTTPSConnectionV3, req)
         return HTTPSHandlerV3(**kwargs)
     else:
-        context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
         context.verify_mode = (ssl.CERT_NONE
                                if opts_no_check_certificate
                                else ssl.CERT_REQUIRED)
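
Review bot: In the else branch, ssl.SSLContext(ssl.PROTOCOL_SSLv23) negotiates whatever the linked OpenSSL offers, so keeping SSLv2/SSLv3 out rests entirely on the Debian OpenSSL build named in the description. Consider adding context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 right after that line so the restriction is stated in the code and survives a different OpenSSL build. In the first region, the remaining ssl.wrap_socket(...) call passes no cert_reqs or ca_certs, so that legacy path performs no certificate validation regardless of opts_no_check_certificate; that predates this change but is worth a comment or a follow-up. The names HTTPSConnectionV3 and HTTPSHandlerV3 no longer describe what the classes do once SSLv3 is not forced.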

--- End Message ---
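
The failure described in the report above, as an added example that is not part of the original mail or of youtube-dl: when PROTOCOL_SSLv3 is missing, the attribute lookup raises AttributeError, which the "except ssl.SSLError" fallback never catches. NO_SSLV3, fake_wrap, legacy_wrap, patched_wrap, legacy_outcome and negotiating_context are hypothetical names, and PROTOCOL_TLS_CLIENT (current Python's client-side negotiation constant) is used here in place of the PROTOCOL_SSLv23 seen in the patch.

```python
import ssl
import types

# Constructed stand-in for an ssl module built without SSLv3 support:
# PROTOCOL_SSLv3 is simply absent, as the report describes.
NO_SSLV3 = types.SimpleNamespace(PROTOCOL_SSLv23="negotiate",
                                 SSLError=ssl.SSLError)

def fake_wrap(ssl_version):
    """Hypothetical stand-in for ssl.wrap_socket; returns the protocol asked for."""
    return ssl_version

def legacy_wrap(ssl_mod, wrap=fake_wrap):
    """Shape of the code the patch removes: force SSLv3, fall back on SSLError."""
    try:
        return wrap(ssl_version=ssl_mod.PROTOCOL_SSLv3)
    except ssl_mod.SSLError:
        return wrap(ssl_version=ssl_mod.PROTOCOL_SSLv23)

def patched_wrap(ssl_mod, wrap=fake_wrap):
    """Shape of the patched code: always negotiate."""
    return wrap(ssl_version=ssl_mod.PROTOCOL_SSLv23)

def legacy_outcome(ssl_mod):
    """Report what the legacy path does on the given module."""
    try:
        return legacy_wrap(ssl_mod)
    except AttributeError:
        # Looking up the missing constant fails before any handshake, and
        # 'except SSLError' does not catch AttributeError: no fallback runs.
        return "AttributeError"

def negotiating_context(no_check_certificate=False):
    """Negotiated client context with SSLv2/SSLv3 explicitly switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if no_check_certificate:
        ctx.check_hostname = False   # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print(legacy_outcome(NO_SSLV3), patched_wrap(NO_SSLV3))
```
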
--- Begin Message ---
Source: youtube-dl
Source-Version: 2014.08.05-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
youtube-dl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefa...@debian.org> (supplier of updated youtube-dl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Mar 2015 21:05:34 -0700
Source: youtube-dl
Binary: youtube-dl
Architecture: source all
Version: 2014.08.05-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Rogério Brito <rbr...@ime.usp.br>
Changed-By: Stefano Rivera <stefa...@debian.org>
Description:
 youtube-dl - downloader of videos from YouTube and other sites
Closes: 780059
Changes:
 youtube-dl (2014.08.05-1+deb8u1) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no
     longer supported in python 2.7.9). Closes: #780059.


--- End Message ---
